How can I quickly check if GET and POST variables in CodeIgniter are both set and numeric?

How can I quickly validate if a GET or POST variable in CodeIgniter is both set and numeric for use as error or status messages in views?

It is very tedious to do something like this each time I want to check variables:

if ($this->input->get('error', True)) {
    if (is_numeric($this->input->get('error', True))) {
        $data['error'] = $this->input->get('error', True);
    }
}

get_numeric_input() for CodeIgniter

mixed get_numeric_input ( string $name [, bool $required = True [, string $source = "GET" [, bool $xss_clean = True ]]] )

Below is a function that I created because I was tired of checking if GET and POST variables existed and were numeric.

This was mainly used when handling errors or status messages, because I could use redirect("original_page.php?error=1"); to pass an error to the original page. On the original page, I could simply do if (isset($error)) { … } and display a message depending on the value. However, it was necessary to check these variables before sending them to the view in the interest of security. This process proved to be quite repetitive and tedious.

This function below is to be added to the bottom of wwwroot/application/system/core/Input.php

It is to be used as follows:

Example 1:

function index() {
   if ($error = $this->input->get_numeric_input('error', True, "GET", True)) {
      $data['error'] = $error;
   }
}

In this example, if $_GET['error'] is both set and numeric, it will set $data['error'] to that value. If it is either not set and/or not numeric, it will terminate the script.

Example 2:

function index() {
   if ($error = $this->input->get_numeric_input('error', False, "POST", True)) {
      $data['error'] = $error;
   }
}

In this example, if $_POST['error'] is both set and numeric, it will set $data['error'] to that value. If it is either not set and/or not numeric, it will continue and not set any values in the $data array.

The first argument is the variable name to be checked. The second variable is the boolean that makes the check required or not. If you have this set to TRUE, then if the variable is not set OR if it is not numeric, it will show an error and immediately terminate the script. If set to False, then it will simply return False, and the script will move on. The third variable is either POST or GET, and will determine if the function looks for the variable in the $_GET or $_POST arrays. Finally, the fourth variable indicates whether or not the values will be XSS_CLEAN when returned.

NOTE: The second, third, and fourth arguments are all optional, and default to True, "GET", and True, respectively.

Here is the code:

function get_numeric_input($name, $required = True, $source = "GET", $xss_clean = True) {
    // Note: the "is set" tests below are truthiness tests, so the string '0'
    // is treated the same as an unset variable.
    if ($source === "GET") {
        if ($this->get($name, $xss_clean)) {
            if (is_numeric($this->get($name, $xss_clean))) {
                return $this->get($name, $xss_clean);
            } else {
                if ($required) {
                    // Log first: show_error() ends the script, so nothing after it runs.
                    log_message('error', "$source variable $name is not numeric!");
                    show_error("$source variable $name is not numeric!");
                    return False;
                } else {
                    return False;
                }
            }
        } else {
            if ($required) {
                log_message('error', "$source variable $name is not set!");
                show_error("$source variable $name is not set!");
                return False;
            } else {
                return False;
            }
        }
    } elseif ($source === "POST") {
        if ($this->post($name, $xss_clean)) {
            if (is_numeric($this->post($name, $xss_clean))) {
                return $this->post($name, $xss_clean);
            } else {
                if ($required) {
                    // Log first: show_error() ends the script, so nothing after it runs.
                    log_message('error', "$source variable $name is not numeric!");
                    show_error("$source variable $name is not numeric!");
                    return False;
                } else {
                    return False;
                }
            }
        } else {
            if ($required) {
                log_message('error', "$source variable $name is not set!");
                show_error("$source variable $name is not set!");
                return False;
            } else {
                return False;
            }
        }
    }
}

A possible alternative is to extend the form validation so that you would have a way to validate $_GET as well. Using the form validation library does save time imo (an extended version - fit to your needs - is advisable). "CodeIgniter Validation: possible to validate GET query strings?" talks about this.

Just use an intermediary variable, for a short and fast code:

$input_error = $this->input->get('error');
$data['error'] = ctype_digit($input_error) ? $input_error : FALSE;


If you really want a one-liner:

function validate_integer_input($input) {
    return ctype_digit($input) ? $input : FALSE;
}

$data['error'] = validate_integer_input($this->input->get('error'));


  • $data['error'] will always be set, which is a good thing, because $data will always be set in your view, so you can simply do if ($data) instead of if (isset($data)).
  • When dealing with GET and POST input you have to know some aspects of typing. For the most important:
    • A GET/POST input, of course if it is set, is always of type string.
    • Only '' (empty) and '0' strings evaluate to FALSE, all other values evaluate to TRUE.
    • ctype_digit() expects a string, but this code may pass it FALSE (from CI->input). But it's fine, as FALSE casts to an empty string.


As a side note, XSS filtering is not needed for this case.

  • XSS filtering has quite a performance impact and should be activated only when needed. A rule of thumb is that the filtering is needed for data which is displayed or included wherever in the HTML source.
  • For this case, we already made sure the input can only contain digits, so we're safe.
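
The following is an added example, not code from the posts above: it runs the same constructed inputs through is_numeric() (which also accepts signs, decimals, exponents and leading whitespace) and through a digits-only check, then maps an accepted code to a fixed message so the view never prints the request value itself. The names STATUS_MESSAGES, strict_status_code() and status_message(), the three-digit length limit and the message texts are assumptions made for the illustration.

```php
<?php
// Added example, not from the original answers. All names are hypothetical.

// Fixed allow-list: the view only ever prints these strings, never raw input.
const STATUS_MESSAGES = [
    1 => 'Login failed.',
    2 => 'Session expired.',
];

/**
 * Return the status code as int when $raw is a short, digits-only string,
 * otherwise null. $raw stands for whatever $this->input->get('error')
 * returned: a string, an array (?error[]=1), or FALSE/NULL when unset.
 */
function strict_status_code($raw): ?int
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 3) {
        return null; // wrong type, empty, or implausibly long
    }
    return ctype_digit($raw) ? (int) $raw : null;
}

/** Map a raw request value to a message from the allow-list, or null. */
function status_message($raw): ?string
{
    $code = strict_status_code($raw);
    return $code === null ? null : (STATUS_MESSAGES[$code] ?? null);
}

// Constructed sample inputs, as they could arrive from a query string.
$samples = ['1', '2', '0', '007', '1e3', '-1', '1.5', ' 1', '+1', '',
            '9999', false, null, ['1']];

foreach ($samples as $raw) {
    printf(
        "%-8s is_numeric=%-5s strict=%-4s message=%s\n",
        json_encode($raw),
        var_export(is_numeric($raw), true),
        json_encode(strict_status_code($raw)),
        json_encode(status_message($raw))
    );
}
```

Checking the type before calling ctype_digit() avoids relying on FALSE being cast to an empty string, and returning null instead of FALSE keeps a valid code of 0 distinguishable from "no code".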
